RoyNexus
RoyNexus2mo ago

What's the best practice to keep out normal API app key secret from users?

We have two issues: 1. How we make sure all project collaborators can still keep a local key without Unity breaking references to the NormcoreAppSettings file? (This file is not git tracked) 2. How do we deploy binaries to clients without sharing that secret key?
4 Replies
kapa.ai
kapa.ai2mo ago
Hi @RoyNexus. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave: ---------------------- To keep your Normcore API app key secret from users, you can follow these steps: 1. For project collaborators, you can use a .gitignore file to exclude the NormcoreAppSettings file from your repository. This way, each collaborator can have their own local copy of the file with the key, and it won't be tracked or shared via Git. This should prevent Unity from breaking references to the NormcoreAppSettings file. 2. For deploying binaries to clients, you should ensure that the key is not embedded in the client-side code. Instead, you can use a server-side script to authenticate with Normcore servers. This script should be hosted on a secure server that you control, and it should communicate with the client-side code using secure methods. This way, the key is never exposed to the client. Please note that these are general best practices and may need to be adapted to your specific project and workflow. For more detailed guidance, you may want to consult the Normcore documentation (https://normcore.io/documentation) or contact NormalVR support. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ----------------------
kapa.ai
kapa.ai2mo ago
<@362795742198235136> kapa.ai is still learning and improving, please let us know how it did by reacting below
maxweisel
maxweisel2mo ago
you can programmatically create NormcoreAppSettings objects whatever you’d use to obfuscate an API secret can be used with that method in two months or so we’re launching a new dashboard that will support a REST api for creating app keys. you can use that with your own server to only send app keys to clients that have verified their entitlement and aren’t patched too
RoyNexus
RoyNexus2mo ago
great, thanks for the reply. We'll do that for now then